2014-08-26 17:33:55 +02:00
#!/bin/sh
#################################################################################
#
# Lynis
# ------------------
#
2016-03-13 16:00:39 +01:00
# Copyright 2007-2013, Michael Boelen
2021-01-07 15:22:19 +01:00
# Copyright 2007-2021, CISOfy
2016-03-13 16:00:39 +01:00
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
# GitHub : https://github.com/CISOfy/lynis
2014-08-26 17:33:55 +02:00
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
# Scheduled tasks
#
#################################################################################
#
2020-10-22 00:13:42 +02:00
InsertSection "${SECTION_SCHEDULED_TASKS}"
2014-08-26 17:33:55 +02:00
#
#################################################################################
#
ATD_RUNNING=0
2016-04-26 12:58:17 +02:00
CROND_RUNNING=0
#
#################################################################################
#
# Test : SCHD-7702
# Description : Check cron daemon
2016-07-24 17:22:00 +02:00
Register --test-no SCHD-7702 --weight L --network NO --category security --description "Check status of cron daemon"
2016-04-26 12:58:17 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
A bunch of Solaris compatibility tweaks (#367)
* Work around Solaris' /bin/sh not being POSIX.
If /usr/xpg4/bin/sh is present, we are (definitely?) on Solaris or
a derivative, and /bin/sh cannot be trusted to support POSIX, but
/usr/xpg4/bin/sh can be. Exec it right away.
* Work around Solaris 'which' command oddity.
Solaris' (at least) 'which' command outputs not-found errors to STDOUT
instead of STDERR.
This makes "did we get any output from which" checks insufficient;
piping to grep -v the "no foo in ..." message should work.
Note that this patch set includes all such uses of which that I could
find, including ones that should never be reached on Solaris (i.e. only
executed on some other OS) just for consistency.
* Improved alternate-sh exec to avoid looping.
* Solaris' /usr/ucb/echo supports -n.
* Check for the best hash type that openssl supports.
When using openssl to generate hashes, do not assume it supports
sha256; try that, then sha1, then give up and use md5.
* Solaris does not support sed -i; use a tempfile.
* Use the full path for modinfo.
When running as non-root, /usr/sbin/ might not be in PATH.
include/tests_accounting already calls modinfo by full path, but
include/tests_kernel did not.
* Solaris find does not support -maxdepth.
This mirrors the logic already in tests_homedirs.
* Use PSBINARY instead of ps.
* Work around Solaris' date not supporting +%s.
Printing nawk's srand value is a bizarre but apparently once popular
workaround for there being no normal userland command to print
UNIX epoch seconds. A perl one-liner is the other common approach,
but nawk may be more reliably present on Solaris than perl.
* Revert to using sha1 for HOSTID.
* Whitespace cleanup for openssl hash tests.
2017-03-08 17:24:24 +01:00
FIND=$(${PSBINARY} aux | ${EGREPBINARY} "( cron$|/cron(d)? )")
2017-04-30 17:59:35 +02:00
if IsEmpty "${FIND}"; then
2016-04-26 12:58:17 +02:00
LogText "Result: no cron daemon found"
2017-03-13 12:00:27 +01:00
else
2016-04-26 12:58:17 +02:00
LogText "Result: cron daemon running"
CROND_RUNNING=1
2016-04-26 13:05:17 +02:00
Report "crond_running=1"
Report "scheduler[]=crond"
2016-04-26 12:58:17 +02:00
fi
fi
2014-08-26 17:33:55 +02:00
#
#################################################################################
#
# Test : SCHD-7704
# Description : Check crontab / cronjobs
2016-07-24 17:22:00 +02:00
Register --test-no SCHD-7704 --weight L --network NO --category security --description "Check crontab/cronjobs"
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
2016-04-26 21:21:15 +02:00
BAD_FILE_PERMISSIONS=0
BAD_FILE_OWNERSHIP=0
2016-04-26 13:05:17 +02:00
FindCronJob() {
2017-05-31 15:40:39 +02:00
sCRONJOBS=$(${EGREPBINARY} '^([0-9*])' $1 | ${TRBINARY} '\t' ' ' | ${TRBINARY} -s ' ' | ${TRBINARY} ' ' ',' | ${SORTBINARY})
2016-04-26 13:05:17 +02:00
}
2014-08-26 17:33:55 +02:00
2017-04-23 20:06:54 +02:00
CRONTAB_FILE="${ROOTDIR}etc/crontab"
2016-04-26 21:21:15 +02:00
if [ -f ${CRONTAB_FILE} ]; then
2019-03-14 12:32:19 +01:00
${EGREPBINARY} -q -s 'lynis audit system' ${CRONTAB_FILE} && LYNIS_CRONJOB="file:/etc/crontab"
2016-04-26 21:21:15 +02:00
if IsWorldWritable ${CRONTAB_FILE}; then LogText "Result: insecure file permissions for cronjob file ${CRONTAB_FILE}"; Report "insecure_fileperms_cronjob[]=${CRONTAB_FILE}"; BAD_FILE_PERMISSIONS=1; AddHP 0 5; fi
2016-05-03 12:40:26 +02:00
if ! IsOwnedByRoot ${CRONTAB_FILE}; then LogText "Result: incorrect owner found for cronjob file ${CRONTAB_FILE}"; Report "bad_fileowner_cronjob[]=${CRONTAB_FILE}"; BAD_FILE_OWNERSHIP=1; AddHP 0 5; fi
2016-04-26 21:21:15 +02:00
FindCronJob ${CRONTAB_FILE}
2017-04-30 17:59:35 +02:00
for ITEM in ${sCRONJOBS}; do
LogText "Found cronjob (${CRONTAB_FILE}): ${ITEM}"
Report "cronjob[]=${ITEM}"
2014-08-26 17:33:55 +02:00
done
fi
2017-04-23 20:06:54 +02:00
CRON_DIRS="${ROOTDIR}etc/cron.d"
2017-04-30 17:59:35 +02:00
for DIR in ${CRON_DIRS}; do
LogText "Test: checking directory ${DIR}"
if [ -d ${DIR} ]; then
if FileIsReadable ${DIR}; then
LogText "Result: found directory ${DIR}"
LogText "Test: searching files in ${DIR}"
FIND=$(${FINDBINARY} ${DIR} -type f -print | ${GREPBINARY} -v ".placeholder")
if IsEmpty "${FIND}"; then
LogText "Result: no files found in ${DIR}"
2017-03-13 12:00:27 +01:00
else
2017-04-30 17:59:35 +02:00
LogText "Result: found one or more files in ${DIR}. Analyzing files.."
for FILE in ${FIND}; do
if IsWorldWritable ${FILE}; then LogText "Result: insecure file permissions for cronjob file ${J}"; Report "insecure_fileperms_cronjob[]=${J}"; BAD_FILE_PERMISSIONS=1; AddHP 0 5; fi
if ! IsOwnedByRoot ${FILE}; then LogText "Result: incorrect owner found for cronjob file ${J}"; Report "bad_fileowner_cronjob[]=${J}"; BAD_FILE_OWNERSHIP=1; AddHP 0 5; fi
2019-03-14 12:32:19 +01:00
FILENAME=$(echo ${FILE} | ${AWKBINARY} -F/ '{print $NF}')
if [ "${FILENAME}" = "lynis" ]; then ${EGREPBINARY} -q -s 'lynis audit system' ${CRONTAB_FILE} && LYNIS_CRONJOB="file:${FILE}"; fi
2017-04-30 17:59:35 +02:00
FindCronJob ${FILE}
if HasData "${sCRONJOBS}"; then
2016-04-26 14:06:27 +02:00
for K in ${sCRONJOBS}; do
2017-04-30 17:59:35 +02:00
LogText "Result: Found cronjob (${FILE}): ${K}"
Report "cronjob[]=${FILE}"
2016-04-26 14:06:27 +02:00
done
fi
2014-08-26 17:33:55 +02:00
done
2017-04-30 17:59:35 +02:00
LogText "Result: done with analyzing files in ${DIR}"
2014-09-09 14:49:37 +02:00
fi
2017-03-13 12:00:27 +01:00
else
2017-04-30 17:59:35 +02:00
LogText "Result: can not read file or directory ${DIR}"
2014-08-26 17:33:55 +02:00
fi
2017-03-13 12:00:27 +01:00
else
2017-04-30 17:59:35 +02:00
LogText "Result: directory ${DIR} does not exist"
2014-08-26 17:33:55 +02:00
fi
done
2017-04-23 20:06:54 +02:00
CRON_DIRS="${ROOTDIR}etc/cron.hourly ${ROOTDIR}etc/cron.daily ${ROOTDIR}etc/cron.weekly ${ROOTDIR}etc/cron.monthly"
2014-08-26 17:33:55 +02:00
for I in ${CRON_DIRS}; do
2015-12-21 21:17:15 +01:00
LogText "Test: checking directory ${I}"
2014-08-26 17:33:55 +02:00
if [ -d ${I} ]; then
2015-12-21 21:17:15 +01:00
LogText "Result: found directory ${I}"
2017-03-13 12:00:27 +01:00
if FileIsReadable ${I}; then
LogText "Test: searching files in ${I}"
2017-04-23 20:06:54 +02:00
FIND=$(${FINDBINARY} ${I} -type f -print 2> /dev/null | ${GREPBINARY} -v ".placeholder")
if [ -z "${FIND}" ]; then
2017-03-13 12:00:27 +01:00
LogText "Result: no files found in ${I}"
else
LogText "Result: found one or more files in ${I}. Analyzing files.."
2019-03-14 12:32:19 +01:00
for FILE in ${FIND}; do
if IsWorldWritable ${FILE}; then LogText "Result: insecure file permissions for cronjob file ${FILE}"; Report "insecure_fileperms_cronjob[]=${FILE}"; BAD_FILE_PERMISSIONS=1; AddHP 0 5; fi
if ! IsOwnedByRoot ${FILE}; then LogText "Result: incorrect owner found for cronjob file ${FILE}"; Report "bad_fileowner_cronjob[]=${FILE}"; BAD_FILE_OWNERSHIP=1; AddHP 0 5; fi
FILENAME=$(echo ${FILE} | ${AWKBINARY} -F/ '{print $NF}')
if [ "${FILENAME}" = "lynis" ]; then ${EGREPBINARY} -q -s 'lynis audit system' ${CRONTAB_FILE} && LYNIS_CRONJOB="file:${FILE}"; fi
LogText "Result: Found cronjob (${I}): ${FILE}"
Report "cronjob[]=${FILE}"
2017-03-13 12:00:27 +01:00
done
LogText "Result: done with analyzing files in ${I}"
fi
else
LogText "Result: directory permissions are too strict to enter it (which might be good)"
2014-08-26 17:33:55 +02:00
fi
2017-03-13 12:00:27 +01:00
else
2015-12-21 21:17:15 +01:00
LogText "Result: directory ${I} does not exist"
2014-08-26 17:33:55 +02:00
fi
done
# /var/spool/cron/* and /var/spool/cron/crontabs/*
# Search only in one tree, to avoid searching the tree twice
if [ -d /var/spool/cron/crontabs ]; then
2017-03-13 12:00:27 +01:00
FIND=$(${FINDBINARY} /var/spool/cron/crontabs -xdev -type f -print 2> /dev/null)
2014-08-26 17:33:55 +02:00
for I in ${FIND}; do
2017-03-13 12:00:27 +01:00
if FileIsReadable ${I}; then
2019-03-14 12:32:19 +01:00
${EGREPBINARY} -q -s 'lynis audit system' ${I} && LYNIS_CRONJOB="file:${I}"
2017-03-13 12:00:27 +01:00
FindCronJob ${I}
2019-03-14 12:32:19 +01:00
for FILE in ${sCRONJOBS}; do
LogText "Found cronjob (/var/spool/cron/crontabs): ${I} (${FILE})"
2017-03-13 12:00:27 +01:00
Report "cronjob[]=${I}"
done
fi
2014-08-26 17:33:55 +02:00
done
2017-03-13 12:00:27 +01:00
else
2019-03-14 12:32:19 +01:00
if [ -d ${ROOTDIR}var/spool/cron ]; then
FIND=$(find ${ROOTDIR}var/spool/cron -type f -print)
2014-08-26 17:33:55 +02:00
for I in ${FIND}; do
2017-03-13 12:00:27 +01:00
if FileIsReadable ${I}; then
2019-03-14 12:32:19 +01:00
${EGREPBINARY} -q -s 'lynis audit system' ${I} && LYNIS_CRONJOB="file:${I}"
2017-03-13 12:00:27 +01:00
FindCronJob ${I}
2019-03-14 12:32:19 +01:00
for FILE in ${sCRONJOBS}; do
LogText "Found cronjob in ${ROOTDIR}var/spool/cron: ${I} (${FILE})"
2017-03-13 12:00:27 +01:00
LogText "cronjob[]=${I}"
done
fi
2014-08-26 17:33:55 +02:00
done
fi
fi
# Anacron
if [ "${OS}" = "Linux" ]; then
if [ -f /etc/anacrontab ]; then
2015-12-21 21:17:15 +01:00
LogText "Test: checking anacrontab"
2017-05-31 15:40:39 +02:00
sANACRONJOBS=$(${EGREPBINARY} '^([0-9@])' /etc/anacrontab | ${TRBINARY} '\t' ' ' | ${TRBINARY} -s ' ' | ${TRBINARY} ' ' ',' | ${SORTBINARY})
2019-07-16 13:20:30 +02:00
if [ -n "${sANACRONJOBS}" ]; then
2016-04-26 13:05:17 +02:00
Report "scheduler[]=anacron"
2017-03-13 12:00:27 +01:00
for I in ${sANACRONJOBS}; do
LogText "Found anacron job (/etc/anacrontab): ${I}"
Report "cronjob[]=${I}"
2016-04-26 13:05:17 +02:00
done
fi
2014-08-26 17:33:55 +02:00
fi
fi
2016-04-26 21:21:15 +02:00
# Show warning when an issue shows up. Even if *both* the permissions and ownership are wrong, just show one (prevent overload of warnings).
if [ ${BAD_FILE_PERMISSIONS} -eq 1 ]; then
ReportWarning "${TEST_NO}" "Found one or more cronjob files with incorrect file permissions (see log for details)"
2019-03-14 12:32:19 +01:00
Display --indent 2 --text "- Checking crontab and cronjobs files" --result "${STATUS_WARNING}" --color RED
2016-04-26 21:21:15 +02:00
elif [ ${BAD_FILE_OWNERSHIP} -eq 1 ]; then
ReportWarning "${TEST_NO}" "Found one or more cronjob files with incorrect ownership (see log for details)"
2019-03-14 12:32:19 +01:00
Display --indent 2 --text "- Checking crontab and cronjob files" --result "${STATUS_WARNING}" --color RED
2016-04-26 21:21:15 +02:00
else
2019-03-14 12:32:19 +01:00
Display --indent 2 --text "- Checking crontab and cronjob files" --result "${STATUS_DONE}" --color GREEN
2016-04-26 21:21:15 +02:00
fi
2014-08-26 17:33:55 +02:00
fi
#
#################################################################################
#
# Test : SCHD-7718
# Description : Check atd status
2016-07-24 17:22:00 +02:00
Register --test-no SCHD-7718 --weight L --network NO --category security --description "Check at users"
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
2015-12-21 21:17:15 +01:00
LogText "Test: Checking atd status"
2016-08-25 15:31:33 +02:00
FIND=$(${PSBINARY} ax | ${GREPBINARY} "/atd" | ${GREPBINARY} -v "grep")
2019-07-16 13:20:30 +02:00
if [ -n "${FIND}" ]; then
2015-12-21 21:17:15 +01:00
LogText "Result: at daemon active"
2016-06-18 11:14:01 +02:00
Display --indent 2 --text "- Checking atd status" --result "${STATUS_RUNNING}" --color GREEN
2015-07-22 17:37:11 +02:00
ATD_RUNNING=1
2016-04-26 13:05:17 +02:00
Report "scheduler[]=atd"
2017-03-13 12:00:27 +01:00
else
2015-12-21 21:17:15 +01:00
LogText "Result: at daemon not active"
2016-06-18 11:14:01 +02:00
if IsVerbose; then Display --indent 2 --text "- Checking atd status" --result "${STATUS_NOT_RUNNING}" --color WHITE; fi
2015-07-22 17:37:11 +02:00
fi
2014-08-26 17:33:55 +02:00
fi
#
#################################################################################
#
# Test : SCHD-7720
# Description : Check at users
# Notes : if at.allow exists, only users listed can schedule at jobs
# if at.allow does not exist, but at.deny does, everyone
# except the listed ones can schedule jobs. If both can't be
# found, only root can schedule jobs.
if [ ${ATD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
2016-07-24 17:22:00 +02:00
Register --test-no SCHD-7720 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check at users"
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
AT_UNKNOWN=0
case ${OS} in
2017-04-30 17:59:35 +02:00
FreeBSD) AT_ALLOW="${ROOTDIR}var/at/at.allow"; AT_DENY="${ROOTDIR}var/at/at.deny" ;;
HPUX) AT_ALLOW="${ROOTDIR}usr/lib/cron/at.allow"; AT_DENY="${ROOTDIR}usr/lib/cron/at.deny" ;;
Linux) AT_ALLOW="${ROOTDIR}etc/at.allow"; AT_DENY="${ROOTDIR}etc/at.deny" ;;
OpenBSD) AT_ALLOW="${ROOTDIR}var/cron/at.allow"; AT_DENY="${ROOTDIR}var/cron/at.deny" ;;
SunOS) AT_ALLOW="${ROOTDIR}etc/cron.d/at.allow"; AT_DENY="${ROOTDIR}etc/cron.d/at.deny" ;;
2015-12-21 21:17:15 +01:00
*) AT_UNKNOWN=1; LogText "Test skipped, files for at unknown" ;;
2014-09-09 14:49:37 +02:00
esac
2014-08-26 17:33:55 +02:00
if [ ${AT_UNKNOWN} -eq 0 ]; then
2015-12-21 21:17:15 +01:00
LogText "Test: checking for file ${AT_ALLOW}"
2014-09-09 14:49:37 +02:00
if [ -f ${AT_ALLOW} ]; then
FileIsReadable ${AT_ALLOW}
if [ ${CANREAD} -eq 1 ]; then
2015-12-21 21:17:15 +01:00
LogText "Result: file ${AT_ALLOW} exists, only listed users can schedule at jobs"
2016-08-25 15:31:33 +02:00
FIND=$(${SORTBINARY} ${AT_ALLOW})
2017-04-30 17:59:35 +02:00
if IsEmpty "${FIND}"; then
2015-12-21 21:17:15 +01:00
LogText "Result: File empty, no users are allowed to schedule at jobs"
2017-03-13 12:00:27 +01:00
else
2017-04-30 17:59:35 +02:00
for ITEM in ${FIND}; do
LogText "Allowed at user: ${ITEM}"
2014-09-09 14:49:37 +02:00
done
fi
2017-04-30 17:59:35 +02:00
else
2015-12-21 21:17:15 +01:00
LogText "Result: can not read ${AT_ALLOW} (no permission)"
2014-09-09 14:49:37 +02:00
fi
2017-03-13 12:00:27 +01:00
else
LogText "Result: file ${AT_ALLOW} does not exist"
LogText "Test: checking for file ${AT_DENY}"
if [ -f ${AT_DENY} ]; then
FileIsReadable ${AT_DENY}
if [ ${CANREAD} -eq 1 ]; then
LogText "Result: file ${AT_DENY} exists, only non listed users can schedule at jobs"
FIND=$(${SORTBINARY} ${AT_DENY})
2017-04-23 20:06:54 +02:00
if [ -z "${FIND}" ]; then
2017-03-13 12:00:27 +01:00
LogText "Result: file is empty, no users are denied access to schedule jobs"
else
2017-04-30 17:59:35 +02:00
for ITEM in ${FIND}; do
LogText "Denied at user: ${ITEM}"
2017-03-13 12:00:27 +01:00
done
fi
else
LogText "Result: can not read ${AT_DENY} (no permission)"
fi
else
LogText "Result: both ${AT_ALLOW} and ${AT_DENY} do not exist"
LogText "Note: only root can schedule at jobs"
AddHP 1 1
fi
2014-09-09 14:49:37 +02:00
fi
2016-06-18 11:14:01 +02:00
Display --indent 4 --text "- Checking at users" --result "${STATUS_DONE}" --color GREEN
2017-03-13 12:00:27 +01:00
else
2016-06-18 11:14:01 +02:00
Display --indent 4 --text "- Checking at users" --result "${STATUS_SKIPPED}" --color YELLOW
2014-09-09 14:49:37 +02:00
fi
2014-08-26 17:33:55 +02:00
fi
#
#################################################################################
#
# Test : SCHD-7724
# Description : Check scheduled at jobs
if [ ${ATD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
2016-07-24 17:22:00 +02:00
Register --test-no SCHD-7724 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check at jobs"
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
2015-12-21 21:17:15 +01:00
LogText "Test: Check scheduled at jobs"
2016-09-08 21:04:17 +02:00
FIND=$(atq | ${GREPBINARY} -v "no files in queue" | ${AWKBINARY} '{gsub("\t"," ");print}' | ${SEDBINARY} 's/ /!space!/g')
2017-04-30 17:59:35 +02:00
if HasData "${FIND}"; then
2015-12-21 21:17:15 +01:00
LogText "Result: found one or more jobs"
2017-04-30 17:59:35 +02:00
for ITEM in ${FIND}; do
VALUE=$(echo ${ITEM} | ${SEDBINARY} 's/!space!/ /g')
2016-05-03 12:40:26 +02:00
LogText "Found at job: ${VALUE}"
2014-09-09 14:49:37 +02:00
done
2016-06-18 11:14:01 +02:00
Display --indent 4 --text "- Checking at jobs" --result "${STATUS_FOUND}" --color GREEN
2017-03-13 12:00:27 +01:00
else
2015-12-21 21:17:15 +01:00
LogText "Result: no pending at jobs"
2016-06-18 11:14:01 +02:00
Display --indent 4 --text "- Checking at jobs" --result "${STATUS_NONE}" --color GREEN
2014-09-09 14:49:37 +02:00
fi
2014-08-26 17:33:55 +02:00
fi
#
#################################################################################
#
2019-03-14 12:32:19 +01:00
if [ -z "${LYNIS_CRONJOB}" ]; then
LogText "Result: no scheduled Lynis execution found (e.g. crontab, cronjob)"
else
LogText "Result: found scheduled Lynis execution (${LYNIS_CRONJOB})"
fi
2016-04-28 12:31:57 +02:00
WaitForKeyPress
2014-08-26 17:33:55 +02:00
#
#================================================================================
2016-03-13 16:03:46 +01:00
# Lynis - Security Auditing and System Hardening for Linux and UNIX - https://cisofy.com